1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
/*
* Copyright (c) 2025 Ian Marco Moffett and L5 engineers
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _OS_MAC_H_
#define _OS_MAC_H_ 1
#include <sys/types.h>
#include <sys/mac.h>
/* Forward declarations */
struct mac_border;
struct proc;
/*
* MAC levels
*
* Processes or users with lower levels cannot
* access higher levels, higher levels can access
* lower levels.
*/
typedef enum {
MAC_GLOBAL,
MAC_RESTRICTED,
MAC_SECRET
} mac_level_t;
/*
* Mapping arguments for MAC
*
* @off: Mapping offset
* @len: Mapping length
* @flags: Optional flags
* @dp_res: Data pointer result written here
*/
struct mac_map_args {
off_t off;
size_t len;
int flags;
void **dp_res;
};
/*
* MAC operation hooks
*
* @map: Map a resource, return length
* @sync: Sync resource with driver
* @getattr: Get attributes of resource
*/
struct mac_ops {
ssize_t(*map)(struct mac_border *mbp, struct mac_map_args *args);
int(*sync)(struct mac_border *mbp, int flags);
int(*getattr)(struct mac_border *mbp, void *p, size_t len);
};
/*
* A MAC border sits inbetween a resource and the user
* and controls if they can access it or not.
*
* @level: MAC level of this border
* @ops: MAC operations for this border
*/
struct mac_border {
mac_level_t level;
struct mac_ops *ops;
};
/*
* Check creds with a specific process and a specific
* resource border.
*
* @procp: Process to check with border
* @mbp: Border to 'procp' is trying to access
*
* Returns zero if the check passed, otherwise a less than
* zero value if the check failed.
*/
int mac_check_creds(struct proc *procp, struct mac_border *mbp);
/*
* Map a resource into process address space by
* going through its border
*
* @mbp: Border of resource
* @off: Offset of mapping to make
* @len: Length of mapping to make
* @res: Result pointer is written here
* @flags: Optional flags
*
* Returns zero on success, otherwise a less than zero value
* on failure.
*/
ssize_t mac_map(struct mac_border *mbp, off_t off, size_t len, void **res, int flags);
/*
* Acquire a specific border using an ID
*
* @id: ID to lookup
*
* Returns the pointer pointer on success, otherwise a NULL
* value on failure.
*/
struct mac_border *mac_get_border(border_id_t id);
#endif /* !_OS_MAC_H_ */
|
